Cyber security – how much should I spend?

Cyber security costs money – but then, so does cyber insecurity – and the problem with data breach costs is that they are usually accompanied by even more expensive business disruption and reputation damage – often when you need it least!

Increasingly, organisations ask: “How much should we spend on getting ourselves cyber-secure?”

Here are two guidelines:

According to the recently published ISBS 2013 survey, the total cost of cyber insecurity to British business increased three-fold last year. Therefore, whatever you spent on cyber security last year, you should spend roughly three times as much this year.

The cost of the worst breach, for smaller organisations, was between £35k and £65k – and, with the median number of breaches for small organisations having climbed to 17, the actual annual cost is likely to be in the order of £100k. So, for a smaller organisation to spend up to £100k in an initial investment in order to reduce the growing annual losses to cyber risk, makes good sense. If you’re a larger organisation, for whom the worst breach costs in excess of £1 million, the necessary investment could easily be of that order.

Of course, how much you actually need to invest does depend on your actual cyber insecurity – and the way to work that out is to compare your current cyber security stance with that described in either the UK Government’s 10 Steps to Cyber Security or the NIST/CSIS 20 Security Controls. The appropriate framework depends on your organisational size. Yes, you will need to deploy competent and appropriately skilled people to do the assessment, and this is where services like professional cyber security risk assessments come in.